b'           OFFICE OF\n    THE INSPECTOR GENERAL\n\n\nSOCIAL SECURITY ADMINISTRATION\n\n\n           STATUS OF THE\n SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\nIMPLEMENTATION OF FISCAL YEAR 2000\n    MANAGEMENT LETTER ISSUES\n\n  September 2002     A-15-02-12046\n\x0c                                    Mission\nWe improve SSA programs and operations and protect them against fraud, waste,\nand abuse by conducting independent and objective audits, evaluations, and\ninvestigations. We provide timely, useful, and reliable information and advice to\nAdministration officials, the Congress, and the public.\n\n                                   Authority\nThe Inspector General Act created independent audit and investigative units,\ncalled the Office of Inspector General (OIG). The mission of the OIG, as spelled\nout in the Act, is to:\n\n  m Conduct and supervise independent and objective audits and\n    investigations relating to agency programs and operations.\n  m Promote economy, effectiveness, and efficiency within the agency.\n  m Prevent and detect fraud, waste, and abuse in agency programs and\n    operations.\n  m Review and make recommendations regarding existing and proposed\n    legislation and regulations relating to agency programs and operations.\n  m Keep the agency head and the Congress fully and currently informed of\n    problems in agency programs and operations.\n\n  To ensure objectivity, the IG Act empowers the IG with:\n\n  m Independence to determine what reviews to perform.\n  m Access to all information necessary for the reviews.\n  m Authority to publish findings and recommendations based on the reviews.\n\n                                     Vision\nBy conducting independent and objective audits, investigations, and evaluations,\nwe are agents of positive change striving for continuous improvement in the\nSocial Security Administration\'s programs, operations, and management and in\nour own office.\n\x0c                                       SOCIAL SECURITY\nMEMORANDUM\n\nDate:      September 20, 2002                                                    Refer To:\n\nTo:        The Commissioner\n\nFrom:      Inspector General\n\nSubject:   Status of the Social Security Administration\xe2\x80\x99s Implementation of Fiscal Year 2000\n           Management Letter Issues (A-15-02-12046)\n\n\n           OBJECTIVE\n\n           This is a follow-up audit to the PricewaterhouseCoopers LLP (PwC), \xe2\x80\x9cFY 2000\n           Management Letter \xe2\x80\x93 Part 2, Recommendations to Improve Management Controls and\n           Operations Resulting from the Fiscal Year 2000 Financial Statement Audit,\xe2\x80\x9d dated\n           November 30, 2000. The objective of this follow-up audit was to determine the status\n           of corrective action on selected findings and recommendations in the management\n           letter referred to above.\n\n           BACKGROUND\n           In Fiscal Year (FY) 2000, PwC, an independent Certified Public Accounting firm,\n           performed an audit of the consolidated financial statements of the Social Security\n           Administration (SSA) as of and for the year ending September 30, 2000. PwC issued\n           its Report of Independent Accountants, dated November 30, 2000, which is included in\n           SSA\xe2\x80\x99s Performance and Accountability Report for FY 2000. The Office of the Inspector\n           General (OIG) monitored the work of PwC.\n\n           The primary objectives of the financial statement audit were to:\n\n           \xc2\xb7   Give an opinion on the SSA financial statements as of and for the year ending\n               September 30, 2000, including the related notes.\n           \xc2\xb7   Give an opinion as to whether SSA management\xe2\x80\x99s assertion about the effectiveness\n               of its internal control was fairly stated.\n           \xc2\xb7   Issue a report on SSA\xe2\x80\x99s compliance with applicable laws and regulations.\n           \xc2\xb7   Determine whether any material inconsistency was found between the financial\n               statements and the accompanying overview and supplemental information\n               (including performance measures), and PwC\xe2\x80\x99s understanding of relevant internal\n               control for the reported performance measures, its determination as to whether they\n               had been placed in operation, and its assessment of the related control risk.\n\x0cPage 2 \xe2\x80\x93 The Commissioner\n\n\nThe audit of SSA\xe2\x80\x99s financial statement also identified conditions that did not have a\nmaterial impact on the financial statements. To report these conditions, PwC issued\nManagement Letters \xe2\x80\x93 Part 1 and Part 2 to SSA addressing areas in need of\nmanagement attention. Management Letter, Part 1, conveys details of a sensitive\nnature to SSA and is, therefore, restricted in its use. It is considered a limited\ndistribution report. Management Letter \xe2\x80\x93 Part 2, contains issues of a general nature\nand is not limited in its distribution, but is intended as information for management and\nthe Inspector General of SSA. In accordance with applicable standards, the\nManagement Letter issues were not considered by PwC to be material weaknesses or\nreportable conditions. Nonetheless, the letters contain both findings and\nrecommendations requiring management action.\n\nSCOPE AND METHODOLOGY\nWe performed follow-up audit work on 22 of the 58 recommendations published in\nPwC\xe2\x80\x99s FY 2000 Management Letter \xe2\x80\x93 Part 2. We selected recommendations from the\nFY 2000 report that, in our opinion, were the most important for SSA to implement.\nBecause the original audit was SSA-wide, the findings and recommendations covered\nvarious offices within SSA. For the specific findings we reviewed, see Appendix A.\n\nTo accomplish our objective, we:\n\n\xc2\xb7   Validated SSA\xe2\x80\x99s reported status of management action on selected\n    recommendations.\n\xc2\xb7   Determined whether corrective action has addressed the recommendations.\n\nWe conducted our review from December 2001 through March 2002, at SSA\nHeadquarters in Baltimore, Maryland. Our audit was conducted in accordance with\ngenerally accepted government auditing standards.\n\nRESULTS OF REVIEW\n\nOf the 22 recommendations we selected, SSA reported that it completed work on\n11 recommendations. SSA agreed with, but had not fully completed corrective actions\non the remaining 11 recommendations.\n\nOIG\xe2\x80\x99s Evaluation of SSA Corrective Actions\n\nWe evaluated SSA\xe2\x80\x99s progress and corrective actions by: interviewing the responsible\nSSA contact officials; reviewing PwC\xe2\x80\x99s work conducted during the FY 2001 financial\nstatement audit; and performing audit tests where necessary. In some cases, we relied\non the audit work performed by PwC during the FY 2001 financial statement audit. The\nresults of our review are as follows:\n\x0cPage 3 \xe2\x80\x93 The Commissioner\n\n\n                 Audit Results                       Findings/Recommendations\n\n\nOIG agrees with SSA\xe2\x80\x99s reported status                              19\n\nOIG disagrees with SSA\xe2\x80\x99s reported status                            3\n\nTotal                                                              22\n\nSummary of OIG\xe2\x80\x99s Findings\n\n1. PwC recommended SSA complete the drafting and implementation of program\n   service center (PSC) change control procedures and consider assigning the\n   production environment to non-programmers. SSA agreed with this\n   recommendation and reported that work on this recommendation was complete.\n   OIG determined that corrective action is not complete. SSA has developed\n   standardized change control procedures for the PSCs. However, a systems change\n   still needs to be made to limit programmer access to the production environment at\n   the PSCs. SSA stated that it expected to complete this change by the end of\n   April 2002. However, as of April 2, 2002, this was not completed. See finding\n   II.B.2. on pages 3-4 of Appendix A.\n\n2. PwC recommended SSA enhance the current re-certification process by\n   implementing a standard profile for each position requiring access to the Financial\n   Accounting System (FACTS), and a requirement that access be requested in terms\n   of the standard profile. SSA agreed with this recommendation and reported that\n   work on this recommendation would be completed by August 31, 2001. OIG\n   determined that corrective action was not completed by August 31, 2001. SSA has\n   created standard profiles for all of the FACTS users. However, as of April 5, 2002, a\n   re-certification had not been completed. It is important that the re-certification\n   process is completed to ensure that the level of access currently held by FACTS\n   users matches their standard profiles. See finding V.A.5. on pages 28-29 of\n   Appendix A.\n\n3. PwC recommended SSA document the process which should be followed regarding\n   possible disputes with the Department of Treasury (Treasury) and determine that\n   Treasury is in agreement with all aspects of SSA\xe2\x80\x99s procedures of estimating the tax\n   revenues and for resolving discrepancies. SSA agreed with this recommendation\n   and reported that procedures would be in place by August 31, 2001. SSA did issue\n   its accounting manual chapter; however, Treasury has not yet established a\n   Memorandum of Understanding (MOU) with SSA. This was scheduled to take place\n   during FY 2002. SSA believes the finding should be closed. OIG agrees that SSA\n   has completed all work that it can at this time and can close this finding. We\n   encourage SSA to monitor Treasury\xe2\x80\x99s actions to formalize the MOU. See finding\n   VI.B.1. on pages 40-41 of Appendix A.\n\x0cPage 4 \xe2\x80\x93 The Commissioner\n\n\n4. PwC recommended that SSA develop and document a comprehensive set of\n   policies and procedures regarding the Limitation on Administrative Expenses (LAE)\n   program to outline how transactions are processed, allocated, and reported. SSA\n   agreed with the recommendation and stated that the documentation would be\n   complete by August 31, 2001. OIG determined that corrective action on this\n   recommendation was not complete as of January 30, 2002. SSA had drafted LAE\n   Accounting and Reporting procedures in August 2001. SSA recently revised the\n   draft procedures, but has not completed this effort. See finding VI.C.2. on pages\n   44-45 of Appendix A.\n\nCONCLUSION AND RECOMMENDATIONS\nBased on our work, we determined that SSA has implemented 8 of the\n22 recommendations we selected for examination from PwC\xe2\x80\x99s FY 2000 Management\nLetter \xe2\x80\x93 Part 2. SSA has not fully implemented the remaining 14 recommendations,\nalthough some actions have been taken to begin addressing these issues. Of the\n14 recommendations not fully implemented, only 4 were new recommendations made\nduring the FY 2000 financial statement audit.\n\nYEAR RECOMMENDATIONS WERE                  NUMBER OF RECOMMENDATIONS\n      FIRST REPORTED                        WHERE CORRECTIVE ACTION IS\n                                                   INCOMPLETE\n            1997                                        7\n            1998                                        2\n            1999                                        1\n            2000                                        4\nTOTAL INCOMPLETE                                       14\n\nSince PwC has already made these recommendations in the FY 2000 Management\nLetter \xe2\x80\x93 Part 2, we will not include duplicate recommendations in this report. However,\nSSA should continue to work to bring all of the issues identified by PwC to closure\nwithin the next audit cycle. In addition, in April 2002, PwC issued the FY 2001\nManagement Letter \xe2\x80\x93 Parts 1 and 2, which makes further recommendations for some of\nthe issues discussed in this report.\n\nAGENCY COMMENTS AND OIG RESPONSE\nSSA did not disagree with our findings presented in the formal draft report, but stated\nthat it has completed work or will shortly complete work on the four recommendations\nwhere OIG disagreed with SSA\xe2\x80\x99s reported status. SSA stated that finding 1 under the\n\xe2\x80\x9cResults of Review\xe2\x80\x9d section of this report will be completed in 6 weeks. SSA stated that\nfinding 2 was completed on May 6, 2002. However, based on our discussions with\nPwC, FY 2002 testing found individuals who had left SSA\xe2\x80\x99s Office of Finance, but still\nhad access to FACTS. With respect to finding 3, we agree that SSA has completed as\nmuch as it can at this time. Based on SSA\xe2\x80\x99s comments to our formal draft report, we\nhave reconsidered our position and agree to close this finding. However, we believe\n\x0cPage 5 \xe2\x80\x93 The Commissioner\n\n\ntrust fund tax revenue estimation is a critical process, and we encourage SSA to\nmonitor Treasury\xe2\x80\x99s efforts to complete an MOU. Lastly, SSA stated that the LAE\naccounting policies and procedures discussed in finding 4 are now complete. However,\nOIG did not conduct further testing to validate the new accounting procedures.\n\n\n\n\n                                             James G. Huse, Jr.\n\x0c                                    Appendices\nAPPENDIX A \xe2\x80\x93 Audit Results: FY 2000 Management Letter Part 2\n\nAPPENDIX B \xe2\x80\x93 Table of Acronyms\n\nAPPENDIX C \xe2\x80\x93 Agency Comments\n\nAPPENDIX D \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                           Appendix A\nAudit Results \xe2\x80\x93 FY 2000 Management Letter \xe2\x80\x93 Part 2\n\x0cReport Section/Area       Application Development and Change Control \xe2\x80\x93\n                          Scope of Application Programmer Duties\n\nFinding/Rec Number        II.B.1.\n\nPwC Finding               In prior year audits we noted that the existing\n                          architecture for the change control process is\n                          Endevor software, which records programmatic\n                          changes within the Development to Validation\n                          process. A program change will then migrate to final\n                          production through the use of both SSA home grown\n                          and third party software. We previously\n                          recommended that SSA establish a QA library where\n                          only validated software that is ready to be moved into\n                          production will reside. In addition to the establishment\n                          of this QA library, SSA was considering expanding\n                          the role of Endevor to be included within the\n                          Validation to Integration and Integration to Production\n                          stages of the program change control process. At this\n                          time, SSA is analyzing whether utilizing the additional\n                          capabilities of Endevor software would provide the\n                          most effective controls. If Endevor\'s capabilities prove\n                          effective, implementation of these capabilities would\n                          replace the use of the QA library, provide controlled\n                          migration of code between regions and protect source\n                          code and load modules from unauthorized tampering.\n\nPwC Recommendation        SSA should expedite its assessment of the potential\n                          use of Endevor in the Validation to Integration and\n                          Integration to Production phases of the system\n                          change control process. If, as a result of this\n                          assessment, SSA decides not to use Endevor in lieu\n                          of establishing a QA library for this purpose, the\n                          agency should continue to work towards\n                          implementing the QA library for use in moving\n                          validated software into production.\n\nSSA Management Response   We agree. SSA has completed an extensive\n                          assessment of a number of options including\n                          ENDEVOR to properly maintain the scope of\n                          programmer duties in the release of executable\n                          applications. An enhanced version of the QA solution\n                          recommended by PwC has been approved by\n                          development. It will be an automated process which\n                          incorporates the SRCOL approval software (see\n\n\n                                    A-1\n\x0c                             II.A.2.), a Quality Assurance library, enhancements to\n                             SRCOL for movement of executables and establishes\n                             various automated alerts to assure the proper\n                             separation of duties as noted in prior year audits.\n\nCross Reference              FY99 Management Letter - Part 2, II.2.A; FY98\n                             Management Letter - Part 2, II.2.A; FY97\n                             Management Letter - Part 2, III.2.A.\n\nSSA Action Plan              See management response.\n\nCurrent Status per SSA       ENDEVOR was determined not to be a suitable tool\n                             for maintaining separation of duties. However, as\n                             noted in the Agency\'s initial response, a QA solution\n                             is being developed. We expect initial rollout to occur\n                             in March 2002, and full deployment by September\n                             2002.\n\nSSA Target Date              September 1, 2002\n\nEnd Date \xe2\x80\x93 OIG Review        1/10/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. SSA is ready to start validation of the QA\n                             solution it developed (called QA2), which should be\n                             complete in the spring of 2002. Rollout is still\n                             planned for the fall of 2002.\n\n\n\n\n                                       A-2\n\x0cReport Section/Area       Application Development and Change Control -\n                          Scope of Application Programmer Duties\n\nFinding/Rec Number        II.B.2.\n\nPwC Finding               The current manual change control process in place\n                          at PSCs is ineffective. PSC programmers have the\n                          ability to develop and maintain code while at the\n                          same time being allowed to move programs into the\n                          production environment. This increases the risk that\n                          programs adversely impacting the normal processing\n                          of information (e.g., programs to suppress alerts\n                          and/or exceptions), unauthorized programs, and/or\n                          unauthorized changes to authorized programs can be\n                          implemented into production.\n\n                          SSA Headquarters has formed a productivity\n                          workgroup which is addressing this issue through the\n                          development of procedures detailing the migration of\n                          programs into the production environment, and the\n                          change control process surrounding those programs.\n\nPwC Recommendation        The Headquarters productivity workgroup should\n                          complete the drafting and implementation of PSC\n                          change control procedures. These procedures\n                          provide for removing the ability of PSC programmers\n                          to migrate new and modified programs into the\n                          production environment. In this regard, SSA should\n                          consider assigning the production environment to\n                          non-programmers, as suggested by the productivity\n                          workgroup.\n\nSSA Management Response   We agree. Operations implemented a standardized\n                          change control process in the PSCs effective January\n                          2, 2001. The PSC local programmers also reached a\n                          consensus on limiting programmer access to\n                          production software. A workgroup consisting of DCO\n                          and DCS personnel in cooperation with local PSC\n                          programmers are developing a TOP SECRET\n                          process to assure separation of duties. Once\n                          implemented, access to the production environment\n                          will be limited to non-programming personnel.\n\nCross Reference           New\n\n\n\n                                    A-3\n\x0cSSA Action Plan              See management response.\n\nCurrent Status per SSA       The PSCs have developed a change control process\n                             that will require review and management signoff prior\n                             to moving any new software or modification to\n                             existing software from development to production.\n                             This process is being used at all seven PSCs.\n                             Originals of change control forms will be retained by\n                             the Integrity staff at each PSC to document this\n                             process.\n\nSSA Target Date              Completed\n\nEnd Date \xe2\x80\x93 OIG Review        1/15/02\n\nOIG Confirmation of Status   Disagree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. SSA has developed standardized\n                             change control procedures for the processing centers.\n                             However, TOP SECRET has not been changed to\n                             limit programmer access at the processing centers to\n                             the production environment. On April 2, 2002 SSA\n                             informed OIG that it expected to complete this\n                             change by the end of April 2002.\n\n\n\n\n                                       A-4\n\x0cReport Section/Area       Service Continuity\n\nFinding/Rec Number        III.2.\n\nPwC Finding               At the time of our fieldwork, SSA had not yet\n                          completed documenting a business continuity plan for\n                          the FACTS application. Management represented\n                          that appropriate business continuity procedures had\n                          been developed, but this did not include documenting\n                          and distributing to affected staff a list of IT personnel\n                          and users responsible for action during operational\n                          failure. In addition, no documentation was available\n                          confirming that any existing informal procedures had\n                          been kept up to date and adequately tested.\n\n                          Without a formally documented business continuity\n                          plan that is comprehensive, updated regularly, and\n                          periodically tested, management cannot be assured\n                          that necessary FACTS processing can be\n                          accomplished during an emergency.\n\nPwC Recommendation        SSA should expedite completion of a formally\n                          documented business continuity plan for FACTS,\n                          ensuring that it is:\n                          - Sufficiently comprehensive, addressing both short\n                          term and long term interruption to normal processing\n                          and providing for such actions as the preparation and\n                          distribution of a list of IT personnel and users\n                          responsible for action during operational failure;\n                          - Updated regularly; and\n                          - Periodically tested.\n\nSSA Management Response   We agree. Building upon the existing emergency\n                          response procedures for FACTS, SSA will develop a\n                          business continuity plan outlining the accounting\n                          process and responsible personnel in the event of\n                          short and long-term operational failure. We anticipate\n                          preparation of the plan by May 1, 2001.\n\nCross Reference           New\n\nSSA Action Plan           See management response.\n\nCurrent Status per SSA    The business continuity plan for OFPO systems has\n                          been drafted and is undergoing review and revision.\n\n\n                                   A-5\n\x0cSSA Target Date              Ongoing\n\nEnd Date \xe2\x80\x93 OIG Review        3/1/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. SSA developed a business continuity\n                             plan for FACTS in August 2001. However, this plan\n                             needs to be tested before OIG will consider this\n                             recommendation closed. As of the end of our\n                             fieldwork, no dates had been set up for testing.\n\n\n\n\n                                       A-6\n\x0cReport Section/Area       Programmatic Systems \xe2\x80\x93 Title II\n\nFinding/Rec Number        IV.A.1.\n\nPwC Finding               SSA has accepted specified levels of access granted\n                          to individuals in the field as being excessive in order\n                          to provide a high level of customer service.\n                          Compensating controls have been implemented to\n                          control this access such as the integrity review\n                          process. During the FY 2000 audit, PwC noted that\n                          the access granted to supervisors allows them to\n                          initiate and adjudicate claims. This is a separation of\n                          duties weakness that is not compensated for through\n                          inclusion in the integrity review process as required in\n                          SSA\xe2\x80\x99s \xe2\x80\x9cBehind the Scenes\xe2\x80\x9d Policy.\n\nPwC Recommendation        SSA should implement a process that would include\n                          the independent review of initial claims that are also\n                          adjudicated by the same individual, especially if that\n                          individual is performing the duties of a supervisor.\n\nSSA Management Response   We agree and are addressing this issue through an\n                          alternative approach. SSA has a formal systems life\n                          cycle process for the development of all of its\n                          applications. The life cycle integrates security into the\n                          development of each application and ensures that\n                          compensating controls to mitigate opportunity for\n                          fraud are put in place before applications move to\n                          production.\n\n                          The Enumeration process, a crucial first step for\n                          attaining Title II benefits, is subject to variety of\n                          compensating controls that include systems access,\n                          system enforced separation of duties through a 2-PIN\n                          procedure and reviews performed by management,\n                          such as CIRP and the Enumeration Sample Review.\n                          Moreover, Enumeration is also subjected to oversight\n                          by independent organizations, such as OIG, quality\n                          reviews and audit trail tracking.\n\n                          Compensating controls also are incorporated into the\n                          Title II claims initiation and adjudication processes,\n                          significantly reducing opportunity for fraud. Controls\n                          specific to Title II claims processes include the\n                          Integrated Client Data Base, which provides death\n\n\n                                    A-7\n\x0c                             alerts from the Numident. SSA\xe2\x80\x99s claims procedure\n                             requires documentary review and are subjected to\n                             quality assurance reviews. As with Enumeration, Title\n                             II claims are also subjected to the system enforced 2-\n                             PIN procedure. In addition, claims are checked\n                             against the Numident for date of death and are\n                             subjected to integrity reviews and audit tracking.\n\n                             Finally, when implemented, CIRP Release 4 will\n                             provide for a review of claims where an employee\n                             processed an initial enumeration and adjudicated the\n                             same claim. CIRP also ensures an independent\n                             review by preventing an individual from reviewing\n                             actions which they processed.\n\nCross Reference              New\n\nSSA Action Plan              See management response.\n\nCurrent Status per SSA       Selection criteria is under development jointly by\n                             DCFAM, OISS; DCO, OPSOS; AND DCS, OSA.\n\nSSA Target Date              To be determined.\n\nUpdated Target Date          Complete\n\nEnd Date \xe2\x80\x93 OIG Review        2/12/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             complete. PwC was able to test 19 of 22\n                             compensating controls over initial and adjudicated\n                             claims and determined that these controls are\n                             effective. OIG reviewed PwC\xe2\x80\x99s documentation and\n                             agrees that these controls are effective. In addition,\n                             SSA has scheduled CIRP release 4 for\n                             implementation in June 2003. Therefore, OIG\n                             believes that SSA has taken appropriate steps to\n                             complete work on this recommendation.\n\n\n\n\n                                       A-8\n\x0cReport Section/Area       Programmatic Systems \xe2\x80\x93 Title II\n\nFinding/Rec Number        IV.A.2.\n\nPwC Finding               PwC performed on-line and batch testing of the Title\n                          II application as part of its FY 2000 audit. This testing\n                          included entering transactions in both MCS and\n                          MACADE to ensure adequate editing and data\n                          validation checks were performed to ensure data\n                          integrity and reduce the risk of fraud. As a result of\n                          our work the following situations were identified:\n                          - MCS should have provided (but did not) an alert or\n                             error message when:\n                             - An individual filing for a claim was dead.\n                             - A child was filing for a claim, but was married.\n                             - The date of adoption of a child was after the\n                                numberholder\xe2\x80\x99s date of death.\n\n                          - MACADE should have provided (but did not) an\n                            alert or error message when:\n                             - The sex code is not validated when entering\n                               claim information.\n                             - The Primary Insurance Amount (PIA) is not\n                               validated to ensure that it is <=$3,000.\n\nPwC Recommendation        SSA needs to enhance its edits and data validation\n                          checks for Title II applications, thereby improving data\n                          integrity and reducing the risk of fraud. Additionally,\n                          the batch process should produce alerts for\n                          transactions that are inaccurate or questionable but\n                          have not resulted in a surface, inter-screen or intra-\n                          screen error message being displayed during on-line\n                          data entry.\n\nSSA Management Response   We agree and are evaluating PwC\xe2\x80\x99s findings.\n                          Corrective actions will be incorporated into future Title\n                          II redesign initiatives.\n\nCross Reference           New\n\nSSA Action Plan           See management response.\n\nCurrent Status per SSA    SSA provided PwC with additional information\n                          regarding the MACADE findings and it was agreed\n\n\n\n                                    A-9\n\x0c                             that these situations were valid and no action was\n                             necessary by SSA.\n\n                             Regarding MCS findings, we agree and expect to\n                             schedule changes for a future release.\n\nSSA Target Date              Ongoing\n\nUpdated Target Date          Complete\n\nEnd Date \xe2\x80\x93 OIG Review        1/29/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             complete. PwC was not able to test all MCS edits in\n                             the online environment. However, for the edits that\n                             were tested, PwC found no exceptions. In addition, a\n                             MCS release was completed in September 2001 that\n                             includes corrections made to the edits PwC was not\n                             able to test. PwC was able to test MACADE edits\n                             online with no exceptions. SSA should continue to\n                             ensure that alerts are working correctly in the\n                             situations described in PwC\xe2\x80\x99s finding, as PwC will be\n                             testing these again for FY 2002.\n\n\n\n\n                                       A-10\n\x0cReport Section/Area          Programmatic Systems \xe2\x80\x93 Earnings Record\n                             Maintenance System (ERMS)\n\nFinding/Rec Number           IV.B.1.\n\nPwC Finding                  SSA has developed a key initiative tactical plan and\n                             schedule entitled \xe2\x80\x9cReduce Earnings Suspense File\xe2\x80\x99s\n                             Future Growth and Current Size\xe2\x80\x9d to address the\n                             suspense file and reconciliation issue identified in\n                             1997. This plan, initially drafted in July 1998, is\n                             currently being revisited for changes, which SSA had\n                             hoped to complete by December 1999. During the FY\n                             2000 audit, a contract was awarded to a third party to\n                             provide assistance and guidance in reducing the\n                             suspense file and implement a process that would\n                             maintain future suspense postings at a manageable\n                             level.\n\nPwC Recommendation           SSA should await the results of the contractor\xe2\x80\x99s\n                             efforts on the suspense file project and then use them\n                             to implement a solution to reduce the suspense file\n                             and improve the process for handling future suspense\n                             postings.\n\nSSA Management Response      SSA is still waiting on the contractor\xe2\x80\x99s final report.\n                             When the report is received, SSA will assess the\n                             results and determine what actions are appropriate.\n\nCross Reference              FY99 Management Letter - Part 2, III.2.A; FY98\n                             Management Letter - Part 2, III.3.A; FY97\n                             Management Letter - Part 2, V.3.A.1.\n\nSSA Action Plan              A final action plan will be developed based on the\n                             outcome of the contractor\xe2\x80\x99s efforts.\n\nCurrent Status per SSA       SSA recently received the contractor\xe2\x80\x99s final report and\n                             is in the process of evaluating its findings and\n                             recommendations.\n\nSSA Target Date              To be determined.\n\nEnd Date \xe2\x80\x93 OIG Review        2/25/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. SSA has not yet selected an approach\n\n\n                                       A-11\n\x0coption from the contractor\xe2\x80\x99s final report. The Office of\nQuality Assurance (OQA) is evaluating the report and\nexpects to complete their evaluation by October 31,\n2002.\n\n\n\n\n        A-12\n\x0cReport Section/Area       Programmatic Systems \xe2\x80\x93 Death Alert, Control and\n                          Update System (DACUS)\n\nFinding/Rec Number        IV.D.2.\n\nPwC Finding               As PwC has noted in prior audits, SSA\xe2\x80\x99s current\n                          practice of obtaining death data does not ensure that\n                          this data is entered into DACUS accurately, timely,\n                          and only once. External entities under contract to\n                          SSA to supply death data are paid 60 cents per\n                          transaction. SSA could pay more than once for the\n                          same death data because DACUS contains no edit\n                          routine to identify instances where two or more data\n                          providers submit the same death notice. These data\n                          providers are contractually required to submit death\n                          notices within 3 months of the month of death. The\n                          majority of these entities are still preparing this data\n                          manually prior to transmission, accounting for the\n                          extended time period allowed for data submission.\n                          SSA is moving forward with the implementation of\n                          electronic death certificates to reduce the timeframe\n                          for submission. Upon the completion of the pilot\n                          program for this process, SSA expects to deliver final\n                          contract standards to the states by March 2001 and\n                          to phase in all states over the next five to ten years.\n\nPwC Recommendation        SSA should look for ways to expedite its initiatives for\n                          reducing the amount of time required by outside\n                          sources to submit death notifications, such as use of\n                          the electronic death certificate.\n\nSSA Management Response   We agree. We concur with the recommendation to\n                          explore initiatives to obtain death data more timely\n                          from outside agencies. SSA is providing support for\n                          the Electronic Data Registration (EDR) pilot activities\n                          now being developed by partially funding the States\n                          to develop and implement their electronic systems.\n                          Under EDR, SSA will receive a death report from the\n                          States within 24 hours or within 5 days of the filed\n                          certificate.\n\nCross Reference           FY99 Management Letter - Part 2, III.4.B; FY98\n                          Management Letter - Part 2, III.5.B.\n\nSSA Action Plan           See management response.\n\n\n                                    A-13\n\x0cCurrent Status per SSA       SSA plans to award contracts to some of the States\n                             in September 2001. Under EDR, SSA will receive a\n                             death report from the States within 24 hours or within\n                             5 days of the person\xe2\x80\x99s death. Part of SSA\xe2\x80\x99s\n                             requirement is to obtain a verified SSN at the first\n                             point of collection in the EDR process. For those\n                             verified SSN\xe2\x80\x99s, SSA will take immediate action on\n                             those death reports.\n\n                             DCS recently received from DCDISP two new\n                             Initiative Information Documents outlining a\n                             permanent Internet-based solution and changes that\n                             would designate an EDR as a first priority report.\n                             Meetings/discussions to schedule the Initiative\n                             Information Documents began on July 19, 2001 and\n                             the Plan Chairs for the affected 5 Year Plans are\n                             working to determine timeframes for the planning and\n                             analysis on this project.\n\nSSA Target Date              To be determined.\n\nEnd Date \xe2\x80\x93 OIG Review        1/29/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. SSA has made considerable progress\n                             towards closing this recommendation. It awarded two\n                             contracts to New Hampshire and Washington, D.C. to\n                             begin receiving electronic death reports and plans to\n                             eventually award contracts to all states. In addition,\n                             SSA is planning a pilot for Electronic Death\n                             Registration to begin in August 2002.\n\n\n\n\n                                       A-14\n\x0cReport Section/Area   Programmatic Systems \xe2\x80\x93 Computer Assisted Audit\n                      Techniques\n\nFinding/Rec Number    IV.F.Overview\n\nPwC Finding           Overview\n\n                      Our 2000 work confirmed that data reliability/integrity\n                      weaknesses still exist within SSA\xe2\x80\x99s automated files\n                      and records. While such problems can result from\n                      application change control weaknesses or application\n                      design weaknesses, they can also be the result of\n                      minimal effort made to remove incorrect data\n                      remaining on files after identified software code\n                      weaknesses have been corrected. These data\n                      anomalies could impact future processing or add to\n                      SSA\xe2\x80\x99s workload by requiring extra effort to resolve\n                      incorrect data.\n\n                      We performed selected tests, using audit software, on\n                      some of SSA\xe2\x80\x99s primary data files. This testing was\n                      restricted to the eleventh segment of the Numident,\n                      MBR, and SSR files, and to the 1999 earnings data\n                      posted for persons in that segment. A projected total\n                      for all segments is presented in parenthesis for each\n                      test listed.\n\n                      Although SSA has shown some improvement in this\n                      area, examples of the data integrity weaknesses we\n                      identified during our 2000 testing are discussed\n                      below.\n\nPwC Recommendation    General Recommendations\n\n                      SSA should:\n                      - Analyze its automated databases to identify key\n                      data integrity conditions that should apply within and\n                      across databases.\n                      - Design and implement data integrity checking\n                      programs for the full production databases to identify\n                      the total population of records with potential data\n                      integrity problems.\n                      - Investigate, identify, and rectify the root causes of\n                      data integrity problems.\n\n\n\n\n                              A-15\n\x0c                          - Ensure appropriate automated and manual controls\n                          are in place to prevent problems from recurring,\n                          including periodically running the data integrity\n                          checking programs as a detective control.\n                          - Investigate and correct instances of invalid data on\n                          individual records that may affect payment status.\n                          Refer any suspicious transactions to the OIG for\n                          investigation.\n                          - Improve data administration for systems with regard\n                          to applying consistent definitions and formats for\n                          commonly used data elements.\n\n                          For those instances where the data integrity problems\n                          noted may be the result of historical problems now\n                          prevented by recent SSA modernization efforts, the\n                          agency should ensure that the existence of this data\n                          will not adversely affect the payment status of any\n                          individual.\n\nSSA Management Response   We agree. However, there are no major changes\n                          planned for Client between now and the end of the\n                          calendar year (2001) that would impact this\n                          recommendation. With all available resources\n                          devoted to high priority initiatives in the TII and TXVI\n                          areas, not to mention legislation and Internet, there\n                          are none available to work on Client-related\n                          enhancements.\n\n                          Long-range plans exist to develop the Client system\n                          to strengthen data integrity. Automated database\n                          clean-up efforts, whenever technically feasible, are\n                          included in these plans. One example is the planned\n                          posting of proven dates of birth on the MBR and SSR\n                          to the Numident. This will not only reduce date of birth\n                          discrepancies, but also facilitate future postings of\n                          dates of death since there will be fewer non-match\n                          situations. This activity is currently unscheduled in the\n                          Enumeration/Client 5-Year Plan; resource issues may\n                          or may not impact the originally anticipated\n                          implementation target date of late 2001; we will know\n                          more by March 2001.\n\nSSA Action Plan           See management response.\n\nCurrent Status per SSA    Recent and upcoming Client activity to improve data\n                          integrity and system communication includes:\n\n\n                                  A-16\n\x0c                   \xc2\xb7 With the 9/2001 T2R2.1 release, certain\n                  miscellaneous data corrections coming in through the\n                  MONET system will also update Client and the\n                  Numident. This includes corrections to claimants own\n                  SSN plus changes to DOB, DOB proof and SEX.\n                   \xc2\xb7 Also with the 9/2001 T2R2.1 release, the T2R\n                  batch process will update Client with language\n                  preference changes.\n                   \xc2\xb7 A service request has been submitted to OSDD to\n                  clean up certain data anomalies remaining on Client\n                  after software changes had been incorporated. Due\n                  to higher priority initiatives, OSDD resources have not\n                  yet been available to institute the cleanup activity.\n                   \xc2\xb7 A contractor review of SSA death processing is\n                  currently being done with an eye toward a future\n                  overhaul of such processing. The Client database\n                  and/or screens will be integral to any resulting new\n                  process and will help to enable sharing and integrity\n                  of death data.\n                   \xc2\xb7 Client is slated to play an important role in the\n                  proposed Customer Service Record (CSR) project.\n                  This system also is intended to interface with SSA\'s\n                  application systems and promote data sharing and\n                  hence, greater data integrity.\n\nSSA Target Date   Ongoing\n\nOIG Comment       See Finding/Rec Numbers IV.F.1., IV.F.2., and IV.F.4.\n                  for specific findings, management response, and OIG\n                  conclusions. The Overview is not considered a\n                  separate recommendation by OIG.\n\n\n\n\n                          A-17\n\x0cReport Section/Area       Programmatic Systems \xe2\x80\x93 Computer Assisted Audit\n                          Techniques\n\nFinding/Rec Number        IV.F.1.\n\nPwC Finding               In 1997, a comparison of the MBR and Numident\n                          identified 819 records (projected total 16,380) where\n                          the individual was alive and in a current pay status on\n                          the MBR but listed as dead on the Numident.\n\n                          In 1998, the comparison yielded similar results, with\n                          944 records (projected total 18,880) identified.\n\n                          In 1999, our comparison again yielded similar results,\n                          with 867 records (projected total of 17,340) identified.\n\n                          The 2000 comparison showed a slight improvement,\n                          with a yield of 706 records (projected total of 14,120).\n\nPwC Recommendation        Refer to the General Recommendations in the\n                          Overview above.\n\nSSA Management Response   F.1 and F.2. We agree. In November 2000, we\n                          implemented a DACUS change that will automatically\n                          delete the Numident death posting when a person is\n                          reinstated to benefit status on the MBR and/or SSR\n                          after having been erroneously terminated for death.\n                          The former second input needed to DACUS was the\n                          primary cause of these inconsistencies. We are\n                          currently developing a program to identify all records\n                          on the MBR where payment has been reinstated and\n                          the Numident retains the death information. We will\n                          then delete the erroneous death. We expect to\n                          complete this by March. We will then develop a\n                          similar matching and update for the SSR; we do not\n                          yet have a target date. We expect that this will\n                          eliminate the problem.\n\nCross Reference           FY99 Management Letter - Part 2, III.6.A; FY98\n                          Management Letter - Part 2, III.6.Overview and A.-D.;\n                          FY97 Management Letter - Part 2, III.6.A. and A1. -\n                          A4.\n\nSSA Action Plan           See management response.\n\n\n\n                                    A-18\n\x0cCurrent Status per SSA       Actions to identify MBR records where payment was\n                             reinstated but the Numident retained the death\n                             information was completed for one segment of the\n                             Numident in March 2001. The results of this match\n                             are being analyzed and will be presented to\n                             management. Actions to address SSR/Numident\n                             inconsistencies remain in development.\n\nSSA Target Date              To be determined.\n\nEnd Date \xe2\x80\x93 OIG Review        1/29/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. Progress has been made, as PwC found\n                             only eight discrepant cases after the date of the\n                             DACUS change in the MBR segment it tested. In\n                             addition, SSA now has several projects under way to\n                             help decrease the number of discrepancies\n                             encountered. In the future, PwC plans to address the\n                             cause of these discrepancies in a new\n                             recommendation that is being developed. SSA is still\n                             completing work to manually correct MBR/Numident\n                             discrepancies where the date of death is 1990 or\n                             later.\n\n\n\n\n                                       A-19\n\x0cReport Section/Area       Programmatic Systems \xe2\x80\x93 Computer Assisted Audit\n                          Techniques\n\nFinding/Rec Number        IV.F.2.\n\nPwC Finding               In 1997, a comparison of the SSR and Numident\n                          identified 60 records (projected total 1200) where the\n                          individual was alive and in a current pay status on the\n                          SSR but listed as dead on the Numident.\n\n                          In 1998, the comparison yielded similar results, with\n                          66 records (projected total 1320) being identified.\n\n                          In our 1999 testing we identified 49 (projected total\n                          980) records meeting this test criteria.\n\n                          In 2000, the comparison identified 79 (projected total\n                          of 1580) individuals that were alive and in current pay\n                          status on the SSR, but listed as dead on the\n                          Numident.\n\nPwC Recommendation        Refer to the General Recommendations in the\n                          Overview above.\n\nSSA Management Response   F.1 and F.2. We agree. In November 2000, we\n                          implemented a DACUS change that will automatically\n                          delete the Numident death posting when a person is\n                          reinstated to benefit status on the MBR and/or SSR\n                          after having been erroneously terminated for death.\n                          The former second input needed to DACUS was the\n                          primary cause of these inconsistencies. We are\n                          currently developing a program to identify all records\n                          on the MBR where payment has been reinstated and\n                          the Numident retains the death information. We will\n                          then delete the erroneous death. We expect to\n                          complete this by March. We will then develop a\n                          similar matching and update for the SSR; we do not\n                          yet have a target date. We expect that this will\n                          eliminate the problem.\n\nCross Reference           FY99 Management Letter - Part 2, III.6.B; FY98\n                          Management Letter - Part 2, III.6.Overview and A.-D.;\n                          FY97 Management Letter - Part 2, III.6.A. and A1. -\n                          A4.\n\n\n\n                                    A-20\n\x0cSSA Action Plan              See management response.\n\nCurrent Status per SSA       Actions to identify MBR records where payment was\n                             reinstated but the Numident retained the death\n                             information was completed for one segment of the\n                             Numident in March 2001. The results of this match\n                             are being analyzed and will be presented to\n                             management. Actions to address SSR/Numident\n                             inconsistencies remain in development.\n\nSSA Target Date              To be determined.\n\nEnd Date \xe2\x80\x93 OIG Review        1/29/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. PwC found discrepancies after the date\n                             of the DACUS change in the SSR segment it tested.\n                             SSA now has several projects under way to help\n                             decrease the number of discrepancies encountered.\n                             SSA is still completing work to manually correct\n                             SSR/Numident discrepancies where the date of death\n                             is 1990 or later.\n\n\n\n\n                                       A-21\n\x0cReport Section/Area       Programmatic Systems \xe2\x80\x93 Computer Assisted Audit\n                          Techniques\n\nFinding/Rec Number        IV.F.4.\n\nPwC Finding               In 1997, a comparison of the MBR, SSR, and\n                          Numident identified a large number of corresponding\n                          records with significant differences in dates of birth.\n                          Using a tolerance of >3 years for comparison\n                          purposes, we noted 13,998 differences between the\n                          MBR and the Numident, and 20,254 between the\n                          SSR and Numident.\n\n                          The number of discrepancies improved in 1998;\n                          however, we still identified 6,433 differences between\n                          the MBR and the Numident, and 711 between the\n                          SSR and Numident.\n\n                          In 1999 the numbers improved some more with 6,078\n                          differences between the MBR and the Numident, and\n                          579 between the SSR and Numident.\n\n                          In 2000, the number of records with a date of birth\n                          difference > 3 years between the MBR and the\n                          Numident continued to improve, dropping to 5,389.\n                          However, we also identified 1,041 records with a date\n                          of birth difference > 3 years between the SSR and\n                          Numident, a significant increase over the 1999\n                          results.\n\nPwC Recommendation        Refer to the General Recommendations in the\n                          Overview above.\n\nSSA Management Response   We agree with this recommendation. We continue to\n                          plan to resolve the condition by updating the\n                          Numident with the proven MBR and SSR dates of\n                          birth. However, higher priority workloads continue to\n                          keep this project as Unscheduled in the 5 Year Plan.\n\nCross Reference           FY99 Management Letter - Part 2, III.6.D; FY98\n                          Management Letter - Part 2, III.6.Overview and A.-D.;\n                          FY97 Management Letter - Part 2, III.6.A. and A1. -\n                          A4.\n\nSSA Action Plan           See management response.\n\n\n                                    A-22\n\x0cCurrent Status per SSA       No change.\n\nSSA Target Date              To be determined.\n\nEnd Date \xe2\x80\x93 OIG Review        1/29/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. SSA indicated that there has been no\n                             status change since the last update. Clean up of\n                             discrepant cases is still unscheduled in the 5-Year\n                             Plan.\n\n\n\n\n                                       A-23\n\x0cReport Section/Area       Administrative Systems \xe2\x80\x93 Financial Accounting\n                          System (FACTS)\n\nFinding/Rec Number        V.A.2.\n\nPwC Finding               Past audits determined that additional changes in the\n                          front-end edit criteria are required to reduce the\n                          number of suspense items. Without these changes,\n                          the number of suspense items would grow to a level\n                          that would impair SSA\xe2\x80\x99s ability to clear items in a\n                          timely manner. This, in turn, would increase the risk of\n                          inaccurate data and inflated dollar values in\n                          suspense.\n\n                          SSA implemented four fixes during FY 1999 to\n                          address this issue. During FY 2000 the agency also\n                          implemented a Third Party Draft vendor table in the\n                          field offices that is to reduce the number of rejections\n                          by providing valid EINs that will be used to edit input\n                          prior to transmission to Headquarters.\n\n                          Release 1.1 of the Third Party Draft system has been\n                          received by 1300 field offices. About 435 offices have\n                          already converted to the new system. The field offices\n                          can now update the FACTS vendor tables using a\n                          manual process. Release 2.0, which was expected in\n                          October 2000, will allow a more direct link to the\n                          FACTS vendor tables.\n\n                          At the time of our follow-up work, the implementation\n                          of the Third Party Draft vendor table had little impact\n                          on the volume of suspense transactions. We\n                          acknowledge, however, that this initiative probably\n                          had not been in place long enough to fairly assess its\n                          effectiveness.\n\nPwC Recommendation        SSA should monitor the volume of suspense file\n                          transactions to ensure that the changes in the edit\n                          criteria required to improve suspense processing,\n                          along with the addition of a Third Party Draft vendor\n                          table, meet the expected results of reducing the\n                          number of suspense items.\n\nSSA Management Response   We agree. In mid-December, Release 2.0 of TPPS\n                          occurred with completion of the rollout by early\n\n\n                                   A-24\n\x0c                             February 2001. With TPPS release 2.0, a Vendor\n                             Maintenance Form (VMF) is generated when a new\n                             payee is entered in the payee table. While it is\n                             expected this software release will substantially\n                             reduce the number of TPPS errors, it is too premature\n                             to make that assessment.\n\nCross Reference              FY99 Management Letter - Part 2, IV.1.B; FY98\n                             Management Letter - Part 2, IV.1.B.; FY97\n                             Management Letter - Part 2, V.3.E.\n\nSSA Action Plan              See management response.\n\nCurrent Status per SSA       Completed\n\nSSA Target Date              Completed\n\nEnd Date \xe2\x80\x93 OIG Review        1/28/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             complete. SSA has improved the processing for third\n                             party draft suspense items and demonstrated that the\n                             number of third party draft suspense errors continues\n                             to be low.\n\n\n\n\n                                       A-25\n\x0cReport Section/Area       Administrative Systems \xe2\x80\x93 Financial Accounting\n                          System (FACTS)\n\nFinding/Rec Number        V.A.3.\n\nPwC Finding               There is a need for more complete tracking and\n                          reporting on the activities related to resolving open\n                          obligations. Past audits identified that open\n                          obligations were not being de-obligated in a timely\n                          manner and de-obligated obligations were not\n                          adequately documented. Consequently, funding\n                          levels may be incorrectly stated, resulting in the\n                          potential for inappropriate use of valuable resources.\n\n                          In FY 1999, SSA implemented procedures to\n                          document liquidated obligations. However, per the\n                          Open Obligation Report, a significant number of long\n                          standing unliquidated obligations remain outstanding,\n                          including numerous obligations from fiscal years\n                          1994, 1995, 1996, and 1997. Open obligations are\n                          not being de-obligated in a timely manner in part\n                          because current procedures do not address the timely\n                          liquidation of obligations.\n\nPwC Recommendation        SSA should enhance current policies and procedures\n                          to ensure that the de-obligation process is operating\n                          effectively and timely. An overall aged balance should\n                          be established as of the end of the fiscal year and all\n                          activities by the Office of Finance should be\n                          accumulated into the monthly Report of Validations to\n                          ensure that management has a complete picture of\n                          the status of open obligations and the activity related\n                          to resolving them.\n\nSSA Management Response   We agree. Additional research demonstrates that\n                          large portions of prior fiscal year open obligations are\n                          Reimbursable Work Authorizations (RWA\'s) with the\n                          General Services Administration (GSA). To that end,\n                          we now receive from GSA an electronic feed of open\n                          RWA\'s to enhance the validation process. In addition,\n                          beginning January 2001, SSA developed an\n                          accounting system query to produce an aging report\n                          for open obligations. This report is produced and\n                          analyzed on a monthly basis.\n\n\n\n                                   A-26\n\x0c                             In addition, based upon our experience of validating\n                             RWA\'s with GSA, we plan to look at other categories\n                             of obligations to improve the validation process.\n\nCross Reference              FY99 Management Letter - Part 2, IV.1.E; FY98\n                             Management Letter - Part 2, IV.1.F.\n\nSSA Action Plan              See management response.\n\nCurrent Status per SSA       Completed\n\nSSA Target Date              Completed\n\nEnd Date \xe2\x80\x93 OIG Review        3/1/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             complete. PwC found that statistics are being\n                             reported for open obligations acted on and cleared\n                             and that the validation and reduction of open\n                             obligations are being tracked. SSA was able to\n                             provide evidence that it is making definite progress in\n                             validating open obligations. By the end of November\n                             2001, SSA had reviewed all Headquarters\n                             reimbursable work authorizations and all interagency\n                             agreements for FY 1997. However, OIG may revisit\n                             this issue in the future to ensure open obligations\n                             continue to be addressed in a timely manner.\n\n\n\n\n                                      A-27\n\x0cReport Section/Area       Administrative Systems \xe2\x80\x93 Financial Accounting\n                          System (FACTS)\n\nFinding/Rec Number        V.A.5.\n\nPwC Finding               The current FACTS re-certification process used to\n                          validate an individual\xe2\x80\x99s access to the system needs to\n                          be enhanced. Of 39 FACTS user profiles sampled, 12\n                          had access that was not necessary for the\n                          performance of their duties. There were some\n                          indications that access had been retained from a prior\n                          position. The FACTS re-certification process needs to\n                          ensure that access is only granted to those with a\n                          need.\n\nPwC Recommendation        SSA should enhance their current re-certification\n                          process by implementing the following:\n                          - A standard profile for each position requiring access\n                          to FACTS and a requirement that access be\n                          requested in terms of the standard profile.\n                          - A re-certification listing showing the access of each\n                          person and a requirement that each supervisor justify\n                          access that is not consistent with the standard profile.\n\nSSA Management Response   We agree. SSA has begun to develop standard\n                          profiles for each position that accesses FACTS. In\n                          addition, a re-certification listing will be developed as\n                          described in the recommendation.\n\nCross Reference           New\n\nSSA Action Plan           See management response.\n\nCurrent Status per SSA    FACTS Standard Profiles are near completion. Once\n                          complete, a recertification of the profiles will occur\n                          and is targeted for 8/31/01.\n\nSSA Target Date           August 31, 2001\n\nEnd Date \xe2\x80\x93 OIG Review     2/28/02\n\n\n\n\n                                    A-28\n\x0cOIG Confirmation of Status   Disagree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. SSA has created standard profiles for all\n                             of the FACTS users. However, as of April 5, 2002 a\n                             re-certification had not been completed. It is\n                             important that the re-certification process is\n                             completed to ensure that the level of access currently\n                             held by FACTS users matches their standard profiles.\n\n\n\n\n                                     A-29\n\x0cReport Section/Area       Other \xe2\x80\x93 Title 2/Title 16 Issues\n\nFinding/Rec Number        VI.A.1.\n\nPwC Finding               SSA has established preventive and detective\n                          controls to ensure accurate payments to\n                          beneficiaries. Two of the main detective controls are\n                          the Index of Dollar Accuracy (IDA) review and the\n                          Stewardship review. Through these reviews, SSA\n                          successfully confirms the accuracy, and in certain\n                          cases, the inaccuracy of benefit payments. When\n                          payment discrepancies are identified, the appropriate\n                          Program Service Center (PSC) or Field Office (FO) is\n                          notified to follow-up on the matter. Our testing\n                          confirmed that these notifications were being sent.\n                          However, our testing also indicated that the\n                          PSCs/FOs inconsistently resolve these payment\n                          discrepancies. Furthermore, we noted current SSA\n                          policy does not provide a mechanism to reasonably\n                          assure that the noted discrepancies are ultimately\n                          resolved by the PSCs/FOs.\n\nPwC Recommendation        We recommend that SSA update its current policies\n                          related to the IDA and Stewardship reviews to provide\n                          a means of ensuring that all payment discrepancies\n                          noted during these reviews are resolved by the\n                          PSCs/FOs in a timely manner.\n\nSSA Management Response   We agree. Existing Quality Review Manual (Title II)\n                          and Quality Review Manual System (Title XVI)\n                          procedures call for the quality reviewers to obtain\n                          master beneficiary/supplemental security record\n                          queries 30 days after sending a payment error\n                          feedback report to the PSCs/FOs to determine if the\n                          corrections have been made. If the corrections have\n                          not been made, the reviewers are to follow up with\n                          PSC/FO. If there is no response to the followup\n                          request in 15 days, the Regional Director for Quality\n                          Assurance and Performance Assessment (ROQA) is\n                          to request the assistance of the Assistant Regional\n                          Commissioner for Management, Operations and\n                          Systems to have the PSC or FO correct the case.\n                          These procedures can also be found in POMS (the\n                          Title XVI procedure in DG 16590.040 and the Title II\n                          procedure in DG 16073.047). We believe that the\n\n\n                                    A-30\n\x0c                             procedures are adequate for ensuring that payment\n                             errors are corrected; however, these procedures have\n                             not been followed in all instances. We are sending a\n                             reminder to all ROQA directors emphasizing the\n                             importance of closely following the established QRM\n                             and QRMS procedures for ensuring that payment\n                             errors are corrected by the PSCs and FOs.\n\nCross Reference              New\n\nSSA Action Plan              See management response.\n\nCurrent Status per SSA       In January 2001, a reminder was sent to all ROQA\n                             Directors emphasizing the importance of closely\n                             following the established QRM and QRMS\n                             procedures for ensuring that payment errors are\n                             corrected by the PSCs and FOs.\n\nSSA Target Date              Completed\n\nEnd Date \xe2\x80\x93 OIG Review        3/1/02\n\nOIG Confirmation of Status    Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             complete. In FY 2001, no cases were found where\n                             OQA failed to ensure that the PSC or FO corrected a\n                             payment error found by OQA. In addition, OQA has\n                             instituted periodic monitoring of ROQA adherence to\n                             Quality Review Manual and Quality Review Manual\n                             System procedures regarding correction of payment\n                             errors.\n\n\n\n\n                                      A-31\n\x0cReport Section/Area       Other \xe2\x80\x93 Title 2/Title 16 Issues\n\nFinding/Rec Number        VI.A.6.\n\nPwC Finding               Individuals incarcerated are generally ineligible for\n                          Title II and Title XVI benefits. One of the tools SSA\n                          uses to identify incarcerated recipients is the Prisoner\n                          Update Processing System (PUPS). During our audit,\n                          we sampled information from the PUPS and\n                          compared it against information in the SSR to\n                          determine whether SSI payments were appropriately\n                          suspended when an individual was incarcerated.\n                          During our testing, we noted several instances when\n                          no release date was recorded in the PUPS database\n                          for incarcerated individuals even though they were in\n                          current pay status on the SSR. POMS section SI\n                          02310.076 requires that the PUPS database be\n                          updated with the release date and the effective date\n                          of reinstatement if an individual meets the condition\n                          for reinstatement. However, it appears that SSA\n                          employees in the Field Offices are not updating the\n                          PUPS in all instances. Failure to appropriately update\n                          both the PUPS and SSR could result in improper\n                          payments being made to SSI recipients.\n\nPwC Recommendation        We recommend that SSA enforce its requirement that\n                          the PUPS database be updated with the release date\n                          and effective date of reinstatement if an individual\n                          meets the condition for reinstatement. We also\n                          recommend that SSA run logic queries between the\n                          PUPS database and the SSR to identify individuals\n                          who should be ineligible for payment based on\n                          information in the PUPS database.\n\nSSA Management Response   We agree. The system allows for the collection of the\n                          data mentioned. We will continue to monitor technical\n                          compliance.\n\n                          In regard to running logic queries between PUPS\n                          database and the SSR, it should be mentioned that\n                          the SSR Online Query already presents an alert if the\n                          record is also on the PUPS database.\n\n                          Also, OQA is scheduled to conduct another review of\n                          prisoner processing in Fiscal Year 2001 and will\n\n\n                                    A-32\n\x0c                             advise Operations of any processing deficiencies they\n                             find. Additional training will be provided on any\n                             problem areas identified by OQA.\n\nCross Reference              FY99 Management Letter - Part 2, V.12; FY98\n                             Management Letter - Part 2, V.R.\n\nSSA Action Plan              See management response.\n\nCurrent Status per SSA       DCO will continue to monitor for technical\n                             compliance. DCO will also submit a request to the\n                             Office of Systems to create a semi-annual compare\n                             operation to check the PUPS data base for release\n                             dates on all reinstatements following Prisoner\n                             suspension and to generate alerts for FO resolution.\n\n                             OQA is planning to conduct a followup review of\n                             prisoner alert development in calendar 2001. Results\n                             of the review, expected late in FY 2002, will be\n                             shared with Operations. Additional training will be\n                             provided on any problem areas identified by OQA.\n\nSSA Target Date              Late FY 2002.\n\nEnd Date \xe2\x80\x93 OIG Review        1/24/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. The Office of Systems will not be able to\n                             create a semi-annual compare operation to check\n                             PUPS for release dates on all reinstated benefit\n                             claims following Prisoner suspension. Based on our\n                             discussions with SSA, an analysis was performed and\n                             the semi-annual compare operation is not a feasible\n                             solution to the issue reported by PwC. In addition,\n                             the review of prisoner alert development has not yet\n                             begun. Based on the delays SSA is encountering\n                             during their work, the target date of \xe2\x80\x9cLate 2002\xe2\x80\x9d no\n                             longer appears to be reasonable.\n\n\n\n\n                                       A-33\n\x0cReport Section/Area       Other \xe2\x80\x93 Title 2/Title 16 Issues\n\nFinding/Rec Number        VI.A.8.\n\nPwC Finding               During previous audits, we noted that the four\n                          balancing reports generated from the Time Share\n                          Option (TSO) system by the Division of Benefit\n                          Certification Branch (DBCA) indicated an out-of-\n                          balance condition. During fiscal year 2000, SSA reset\n                          the balances on the Group Totals report and\n                          temporarily the reports balanced. However, because\n                          the exact cause of the out-of-balance condition was\n                          not determined, the reports currently indicate a\n                          continued out-of-balance condition at September 30,\n                          2000. Specifically, the Group Totals report indicated\n                          that 11,275 fewer payments totaling $4,012,972.99,\n                          were made than payments reported on the other\n                          three reports. DBCA believes that they have identified\n                          the reason for this out-of-balance condition. Our\n                          review disclosed that SSA created a task group to\n                          identify the cause of and solution to the out-of-\n                          balance condition, but actions to fully resolve this\n                          matter have not been taken. Failing to properly\n                          balance the reports from the TSO system could\n                          cause inaccurate payments to be made to recipients.\n\nPwC Recommendation        SSA should continue its efforts to identify the exact\n                          cause for this out-of-balance condition, modify the\n                          system as needed, so out-of-balance conditions are\n                          reconciled in a timely manner.\n\nSSA Management Response   We agree. Currently we have formed a cross-\n                          functional workgroup and are in the Planning and\n                          Analysis (P&A) stage of evaluating the problem. P&A\n                          should be completed in March 2001. Since Group\n                          Totals do not produce any transactions, only\n                          summary totals, it has been impossible to perform the\n                          type of reconciliation recommended when an out-of-\n                          balance condition exists. A record-level database\n                          needs to be established to perform this validation.\n                          Evaluation of the various options the Office of\n                          Systems may need to pursue (e.g., possibly a rewrite\n                          of the entire system) based on the workgroup\'s\n                          recommendation will occur after P&A is completed.\n\n\n\n                                    A-34\n\x0cCross Reference              FY99 Management Letter - Part 2, V.7; FY98\n                             Management Letter - Part 2, V.H.; FY97 Management\n                             Letter - Part 2, V.2.G.\n\nSSA Action Plan              See management response.\n\nCurrent Status per SSA       DBCA formed a cross-functional workgroup to\n                             evaluate the problem. While in the Planning and\n                             Analysis (P&A) stage the group was temporarily\n                             suspended in January 2001 because the Office of\n                             Systems Design and Development (OSDD) was\n                             forced to allocate its resources to a Modernized\n                             Overpayment/Underpayment Reporting System\n                             (MOURS)-related project.\n\nSSA Target Date              To be determined\n\nEnd Date \xe2\x80\x93 OIG Review        1/10/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. SSA has submitted an IT proposal to\n                             correct the out-of-balance condition for the SSI\n                             payment files. Corrections are still needed for other\n                             files that feed into the Group Totals report.\n\n\n\n\n                                       A-35\n\x0cReport Section/Area   Other \xe2\x80\x93 Title 2/Title 16 Issues\n\nFinding/Rec Number    VI.A.10.\n\nPwC Finding           During our testing of the Index of Dollar Accuracy\n                      (IDA) and Stewardship reviews performed by the\n                      Office of Quality Assurance (OQA) we noted the\n                      following weaknesses which impair the effectiveness\n                      of the reviews.\n                      - OQA needs to update its RSDI Quality Review\n                      Manual (QRM) to include detailed guidance related to\n                      performing Index of Dollar Accuracy (IDA) and\n                      Stewardship reviews. During our testing we noted that\n                      the lack of detailed guidance has resulted in\n                      inconsistencies among regions in the way that the\n                      reviews are performed.\n                      - OQA needs to update the QRM to include new\n                      existing policies and procedures. During our testing\n                      we noted that the QRM does not include the new\n                      policies and procedures regarding the use of the\n                      SSA-2930, RSI/DI Quality Review Case Analysis \xe2\x80\x93\n                      Sampled Number Holder or the SSA 2931, RSI/DI\n                      Quality Review Case Analysis \xe2\x80\x93 Auxiliaries/Survivors.\n                      In addition, our testing disclosed several instances\n                      where OQA reviewers improperly excluding cases\n                      from review based on the existence of the \xe2\x80\x9cdual\n                      entitlement stratum\xe2\x80\x9d, which has not been in place\n                      since FY 1996.\n                      - OQA does not have written policies or procedures\n                      in place to reasonably assure that cases are excluded\n                      from the IDA and Stewardship reviews based on valid\n                      programmatic/business reasons. During our audit we\n                      noted several instances where OQA reviewers\n                      improperly excluded sample items from review. The\n                      lack of such policies and procedures increases the\n                      risk that errors could go undetected because sample\n                      items were improperly excluded from testing.\n\nPwC Recommendation    We recommend that SSA update the RSDI QRM to\n                      reflect current policies and procedures and to include\n                      detailed guidance for performing IDA and\n                      Stewardship reviews. We further recommend that\n                      SSA establish and implement written policies and\n                      procedures to reasonably assure the propriety of IDA\n                      and Stewardship cases excluded from review.\n\n\n                                 A-36\n\x0cSSA Management Response       We agree. To the extent possible, exclusion criteria\n                             are written into the Automated Sample Selection\n                             Process (ASSP). Where manual exclusions occur,\n                             they are made in accordance with established\n                             guidelines. Should situations outside the guidelines\n                             occur, regional staffs consult with central office before\n                             excluding a case.\n\nCross Reference              FY99 Management Letter - Part 2, V.2; Various.\n\nSSA Action Plan              See management response.\n\nCurrent Status per SSA       The current effort to replace the IDA reviews with a\n                             transaction analysis review procedure to make the\n                             process a more useful tool for Operations to improve\n                             accuracy has deferred our plans to completely\n                             overhaul the QRM procedures. Instead of a complete\n                             overhaul, we are now planning a QRM release to\n                             cover key changes, once the revised transaction\n                             review procedures are finalized after testing and\n                             piloting. The planned QRM release is not expected\n                             before mid to late FY 2002.\n\nSSA Target Date              Late FY 2002\n\nEnd Date \xe2\x80\x93 OIG Review        2/7/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. The transaction analysis review to\n                             replace IDA reviews was approved by Acting\n                             Commissioner Massanari. SSA still plans to have a\n                             QRM release covering key procedural changes\n                             completed during FY 2002.\n\n\n\n\n                                      A-37\n\x0cReport Section/Area       Other \xe2\x80\x93 Title 2/Title 16 Issues\n\nFinding/Rec Number        VI.A.15.\n\nPwC Finding               During our overall review of the Continuing Disability\n                          Review (CDR) process that was in place in FY 2000,\n                          and more specifically the CDR profiling and scoring\n                          process, we noted that the Office of Disability did not\n                          maintain full documentation of the CDR process or of\n                          the input data sets and variables used in fitting the\n                          prediction models. Without this documentation, the\n                          CDR profiling and scoring programs are at risk of not\n                          having sufficient information available for review\n                          which would support the profile scores and the overall\n                          program. In addition, we noted that the CDR profiling\n                          program is continually under development without\n                          version control procedures and without detailed\n                          cataloging and comparison of results based on the\n                          difference variables used in the different models.\n\nPwC Recommendation        We recommend that SSA maintain documentation on\n                          all aspects of the CDR process, in addition to the\n                          profiling and the scoring programs, including input\n                          data sets and all variables used as candidates in the\n                          prediction models.\n\n                          It is our understanding that SSA recently entered into\n                          a contract with an outside vendor to assist them with\n                          this effort, thus we recommend that SSA continue the\n                          implementation of this effort. We also recommend\n                          that since profiling validation activities are ongoing,\n                          version control also should be implemented. SSA\n                          should also consider establishing a fixed schedule for\n                          developmental analysis and algorithm updates. Final\n                          study results should be catalogued, including the data\n                          sets used to define the algorithms actually used to\n                          establish the models.\n\nSSA Management Response   We agree that documentation of the profiling and\n                          scoring process could be more complete and note\n                          that we have already begun developing version\n                          control methodology, which we plan to implement in\n                          FY \'01. We also plan to transfer the development of\n                          profiling models to the PC environment during FY \'01.\n                          This will simplify the archiving procedure and satisfy\n\n\n                                     A-38\n\x0c                             the recommendation made in this area. With regard\n                             to the recommendation to consider establishing a\n                             fixed schedule for developmental analysis and\n                             algorithm updates, we do not believe this is practical,\n                             at least, at this time. Currently, we adjust and refine\n                             our scoring model to accommodate significant\n                             legislative, policy, or procedural changes, as they\n                             occur. We believe this approach is a better use of our\n                             limited resources. Lastly, it should be noted that it has\n                             always been our practice to retain the data sets used\n                             to define the algorithms used in our profiling models\n                             and that, beginning in FY 2000, we increased the\n                             retention period to three years. We believe our\n                             current retention system provides adequate\n                             documentation of the changes and enhancements to\n                             our profiling models without adding an unnecessary\n                             burden to the process.\n\nCross Reference              FY99 Management Letter - Part 2, V.13.\n\nSSA Action Plan              Develop version control methodology for profiling and\n                             scoring process.\n                             Transfer development of profiling models to PC\n                             environment.\n                             Retain data sets used to define algorithms in profiling\n                             for 3 years.\n\nCurrent Status per SSA       Data set retention for 3 years \xe2\x80\x93 completed.\n                             Remainder \xe2\x80\x93 in progress.\n\nSSA Target Date              September 2001\n\nEnd Date \xe2\x80\x93 OIG Review        2/26/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             complete. Through the new profiling system, SSA\n                             has ensured that documentation is maintained on all\n                             aspects of the CDR process. SSA also confirmed its\n                             intention to maintain data sets for a minimum of 3\n                             years.\n\n\n\n\n                                       A-39\n\x0cReport Section/Area       Other - Revenue\n\nFinding/Rec Number        VI.B.1.\n\nPwC Finding               Prior to SSA\xe2\x80\x99s final wage certification, the Department\n                          of Treasury is responsible for transferring estimated\n                          amounts for employment taxes collected to the SSA\n                          trust funds. These transfers are made based on\n                          revenue estimations completed by SSA\xe2\x80\x99s Office of the\n                          Chief Actuary (OCACT). SSA and Treasury have\n                          never formally documented the responsibilities of\n                          each party involved in this process, nor documented\n                          the course of action which would be followed should a\n                          dispute arise concerning the transfer of funds from\n                          Treasury to the SSA Trust Funds. Because this\n                          process has not been documented, disputes between\n                          the two parties could delay the transfers should an\n                          error or dispute ever arise. SSA has documented its\n                          own procedures of estimating and certifying the\n                          wages in its Accounting Manual, however the\n                          responsibilities of each party involved in this process\n                          have not been documented, nor has a dispute\n                          resolution process been documented.\n\nPwC Recommendation        We recommend that SSA clearly document the\n                          process which should be followed regarding possible\n                          disputes with Treasury and determine that Treasury is\n                          in agreement with all aspects of SSA\xe2\x80\x99s procedures of\n                          estimating the tax revenues and for resolving\n                          discrepancies.\n\nSSA Management Response   We agree with modification. On December 15, 2000,\n                          the Department of the Treasury released a review of\n                          its duties and responsibilities in the administration of\n                          trust funds and other government accounts with\n                          investment authority (or investment funds). The report\n                          contains several recommendations one of which is to\n                          clearly define Treasury and program agency roles\n                          and responsibilities for investment fund management\n                          through standardized agreements. These standard\n                          agreements will define policies and procedures and\n                          allocation of roles and responsibilities. Where\n                          needed, the agreements will be customized. Treasury\n                          plans to initially develop these agreements in the next\n                          6-9 months with 5 Federal agencies, including SSA.\n\n\n                                    A-40\n\x0c                             The procedures developed by SSA to document the\n                             roles and responsibilities for estimating the transfer of\n                             collected employment taxes to the SSA trust funds\n                             will be incorporated into the agreement with Treasury.\n\nCross Reference              FY99 Management Letter - Part 2, V.3; FY98\n                             Management Letter - Part 2, V.D.; FY97 Management\n                             Letter - Part 2, V.2.I.\n\nSSA Action Plan              See management response.\n\nCurrent Status per SSA       These procedures are currently being modified to the\n                             SSA intra-net publication process. Expected release\n                             is 8/31/01.\n\nSSA Target Date              August 31, 2001\n\nEnd Date \xe2\x80\x93 OIG Review        3/1/02\n\nOIG Confirmation of Status   Agree. SSA did issue its accounting manual chapter,\n                             however Treasury has not yet established a\n                             Memorandum of Understanding (MOU) with SSA.\n                             This was scheduled to take place sometime during\n                             FY 2002, but had not occurred as of the end of our\n                             fieldwork. SSA believes the finding should be closed.\n                             OIG agrees that SSA has completed all work that it\n                             can at this time and can close this finding. We\n                             encourage SSA to monitor Treasury\xe2\x80\x99s actions to\n                             formalize the MOU.\n\nReport Section/Area          Other - Revenue\n\nFinding/Rec Number           VI.B.2.\n\nPwC Finding                  The majority of revenue recognized by SSA and\n                             transferred to the Trust Funds, relates to employment\n                             tax revenue which is estimated by the Office of the\n                             Chief Actuary. Previously, we have noted that system\n                             documentation for the two estimation models used by\n                             OCACT, the REVEARN and MODEEM models, was\n                             lacking. We also noted that individuals within OCACT\n                             had not been sufficiently cross-trained to allow for\n                             succession planning. During our current audit, we\n                             noted that OCACT has taken several steps to train\n                             individuals to run both estimation models. However,\n\n\n                                       A-41\n\x0c                             as required by the Office of Management and Budget,\n                             systems documentation regarding these two models\n                             and cross-checks to ensure estimation constancy\n                             have not been formally documented.\n\nPwC Recommendation           We recommend that OCACT document these models\n                             in accordance with OMB Circulars A-123 and OMB\n                             Circular A-127, including the use of cross-checks to\n                             ensure model constancy.\n\nSSA Management Response      We agree. However, although we agree that\n                             additional documentation may be desirable, we\n                             cannot implement the recommendation at this time\n                             due to higher priority work. Our highest priority is to\n                             our basic mission to produce cost estimates of the\n                             present-law and proposed OASDI programs. This\n                             requires us to commit our resources to performing\n                             and documenting data analyses, and maintaining and\n                             updating the computer models used to produce these\n                             estimates. While the additional documentation may\n                             be valuable for the purpose of informing external\n                             groups, current documentation has been satisfactory\n                             for internal use in producing high-quality cost\n                             estimates.\n\nCross Reference              FY99 Management Letter - Part 2, V.8 and V.14;\n                             FY98 Management Letter - Part 2, V.I.; FY97\n                             Management Letter - Part 2, VI.A1 and A2.\n\nSSA Action Plan              On May 3, 2001 SSA provided documentation to the\n                             auditors that we believe should close this\n                             recommendation.\n\nCurrent Status per SSA       While the documentation may not be exactly what the\n                             auditors recommended, we believe it is the\n                             documentation appropriate for SSA processes.\n\nSSA Target Date              Completed\n\nEnd Date \xe2\x80\x93 OIG Review        2/25/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             complete. SSA provided sufficient documentation to\n                             PwC for the REVEARN and MODEEM models. In\n                             addition, OCACT now has plans in place to update\n                             model documentation every year. OCACT also plans\n\n\n                                       A-42\n\x0cto train a second individual on the REVEARN model\nduring 2002. OCACT should ensure that these items\nare completed as planned, as PwC will review this\nissue again during the FY 2002 financial statement\naudit.\n\n\n\n\n       A-43\n\x0cReport Section/Area       Other \xe2\x80\x93 Financial Reporting\n\nFinding/Rec Number        VI.C.2.\n\nPwC Finding               The Office of Finance lacks a formal set of\n                          documented policies and procedures regarding the\n                          accounting treatment for transactions processed\n                          through the Limitation on Administrative Expenses\n                          (LAE) fund. Informal policies have been developed\n                          over the years, but a comprehensive document\n                          outlining the budgetary and proprietary aspects of this\n                          program, along with the allocation of expenses, and\n                          reporting requirements has not been completed.\n                          During the audit, we noted that for financial reporting\n                          purposes, SSA applies a series of one-sided\n                          adjustments to financing sources and cumulative\n                          results of operations on the program-level Balance\n                          Sheets and Statements of Changes in Net Position\n                          and establishes intra-agency payables/receivables to\n                          counteract the effect of uneven LAE allocations. We\n                          believe that these adjustments, along with other\n                          adjustments made to correct previous errors related\n                          to LAE are necessary due to the fact that SSA has\n                          not developed a formal set of policies and procedures\n                          for processing, allocating, and reporting LAE\n                          transactions.\n\nPwC Recommendation        We recommend that SSA develop and document a\n                          comprehensive set of policies and procedures\n                          regarding the LAE program. These policies and\n                          procedures should outline how LAE transactions are\n                          to be processed, allocated, and reported. This\n                          document should address budgetary as well as\n                          proprietary issues, and should be used as a reference\n                          tool to reasonably assure that LAE transactions are\n                          handled appropriately.\n\nSSA Management Response   We agree. SSA plans to complete the documentation\n                          of the LAE program by March 30, 2001.\n\nCross Reference           New\n\nSSA Action Plan           See management response.\n\n\n\n\n                                    A-44\n\x0cCurrent Status per SSA       The procedures to document accounting for LAE are\n                             undergoing review. Target completion date is\n                             8/31/01.\n\nSSA Target Date              August 31, 2001\n\nEnd Date \xe2\x80\x93 OIG Review        1/30/02\n\nOIG Confirmation of Status   Disagree. SSA\xe2\x80\x99s work on this recommendation was\n                             incomplete. SSA drafted LAE Accounting and\n                             Reporting procedures in August 2001. SSA recently\n                             revised the draft procedures, but has not completed\n                             this effort as of the end of our fieldwork.\n\n\n\n\n                                       A-45\n\x0cReport Section/Area       Other \xe2\x80\x93 Financial Reporting\n\nFinding/Rec Number        VI.C.7.\n\nPwC Finding               The Debt Collection and Improvement Act (DCIA) of\n                          1996 authorizes SSA to use several additional\n                          procedures to collect Title II overpayments, if the\n                          overpayments are not remitted to SSA within a\n                          specified timeframe. In previous management\n                          recommendation letters, we have noted that SSA\n                          currently is not using several of the procedures\n                          outlined in the DCIA. However, we also noted that\n                          SSA is currently working on several systems\n                          initiatives which will allow the Agency to track and re-\n                          coup overpayments more effectively and to assess\n                          various penalties outlined in the DCIA. Most of these\n                          improvements are scheduled for implementation\n                          during the next 12 \xe2\x80\x93 24 months.\n\nPwC Recommendation        We recommend that SSA continue its plans to\n                          implement policies and procedures to assess\n                          penalties when needed, efficiently track amounts due\n                          to SSA, and finally to fully collect amounts due to\n                          SSA.\n\nSSA Management Response   We agree. SSA is currently developing the two debt\n                          collection tools with the highest expected debt\n                          collection payoffs. The two tools are Cross Program\n                          Recovery, or the collection of a Title XVI debt from\n                          any Title II benefits payable to the debtor, and\n                          Administrative Wage Garnishment, which is the\n                          collection of a delinquent debt from the wages of the\n                          debtor. Cross Program Recovery was authorized by a\n                          different legislation than DCIA, and SSA estimates\n                          that it will yield $115 million in collections over 5\n                          years. Implementation is scheduled for March 2001.\n                          SSA is also engaged in developing administrative\n                          wage garnishment, and has completed the required\n                          planning and analysis. Implementation is scheduled\n                          for 2001.\n\n                          In the year 2000 SSA also developed the expansion\n                          of our existing credit bureau reporting and\n                          administrative offset programs to include Title XVI\n                          debts (which was authorized by the Foster Care\n\n\n\n                                    A-46\n\x0c                         Independence Act of 1999). These tools will also be\n                         implemented in March 2001.\n\n                         All other debt collection tools (Federal salary offset,\n                         private collection agencies and interest charging) will\n                         be developed in turn.\n\n                         In addition, we have one comment regarding the\n                         wording of PwC\'s Finding on item V1.C.7. The third\n                         sentence (beginning with the words "However, we\n                         also. . .") should be changed as follows: \xe2\x80\x9cHowever,\n                         we also noted that SSA is currently working on\n                         several systems initiatives which will allow the Agency\n                         to collect overpayments more effectively.\xe2\x80\x9d\n\nCross Reference          FY99 Management Letter - Part 2, V.9; FY98\n                         Management Letter - Part 2, V.M.; FY97 Management\n                         Letter - Part 2, VI.B.\n\nSSA Action Plan          See management response.\n\nCurrent Status per SSA   Currently, SSA has three title XVI projects that are\n                         fully developed and two are in active development.\n                         The three fully developed projects are Cross-Program\n                         Recovery, Administrative Offset and Credit Bureau\n                         Reporting.\n\n                         Cross-Program Recovery is the collection of a Title\n                         XVI debt from any Title II benefits payable to the\n                         debtor. Cross-Program Recovery was authorized by\n                         a different legislation than DCIA, and SSA estimates\n                         that it will yield $115 million in collections over 5\n                         years. In the year 2000 SSA also developed the\n                         expansion of our existing administrative offset and\n                         credit bureau reporting programs to include Title XVI\n                         debts (which was authorized by the Foster Care\n                         Independence Act of 1999). These new tools will be\n                         implemented after the final regulations are published.\n\n                         Two debt collections tools are in active development.\n                         Administrative Wage Garnishment (AWG), which is\n                         the collection of a delinquent debt from the wages of\n                         the debtor, is in the development stage and the\n                         Notice of Proposed Rule Making for AWG has been\n                         written. SSA is also developing Federal Salary\n                         Offset.\n\n\n                                 A-47\n\x0c                             Development of the remaining tools, Interest\n                             Charging and the use of Collection Agencies, will\n                             begin upon the completion of the activities currently\n                             underway. The use of these tools will enhance SSA\'s\n                             ability to collect delinquent debt in the future.\n\nSSA Target Date              Ongoing\n\nEnd Date \xe2\x80\x93 OIG Review        2/8/02\n\nOIG Confirmation of Status   Agree. SSA\xe2\x80\x99s work on this recommendation is\n                             incomplete. SSA implemented three new debt\n                             collection tools at the end of February 2002 \xe2\x80\x93\n                             administrative offset and credit bureau reporting for\n                             Title XVI overpayments and the Cross-Program\n                             Recovery to collect Title XVI overpayments from the\n                             debtor\xe2\x80\x99s Title II benefits. The other tools continue to\n                             be worked on.\n\n\n\n\n                                      A-48\n\x0c                                                         Appendix B\n\nTable of Acronyms\nASSP       Automated Sample Selection Process\nAWG        Administrative Wage Garnishment\nCDR        Continuing Disability Review\nCIRP       Comprehensive Integrity Review Process\nCSR        Customer Service Record\nDACUS      Death Alert, Control and Update System\nDBCA       Division of Benefit Certification Branch\nDCDISP     Deputy Commissioner for Disability and Income Security Programs\nDCFAM      Deputy Commissioner for Finance, Assessment and Management\nDCIA       Debt Collection Improvement Act\nDCO        Deputy Commissioner for Operations\nDCS        Deputy Commissioner for Systems\nDI         Disability Insurance\nDOB        Date of Birth\nEDR        Electronic Death Registration\nEIN        Employer Identification Number\nERMS       Earnings Record Maintenance System\nFACTS      Financial Accounting System\nFO         Field Office\nFY         Fiscal Year\nGSA        General Services Administration\nIDA        Index of Dollar Accuracy\nIT         Information Technology\nLAE        Limitation on Administrative Expenses\nMACADE     MADCAP Direct Data Entry\nMADCAP     Manual Adjustment Credit and Award Process\nMBR        Master Beneficiary Record\nMCS        Modernized Claims System\nMONET      Miscellaneous Online Edited Transaction\nMOURS      Modernized Overpayment/Underpayment Reporting System\nNUMIDENT   A query using the SSN to obtain the name of the number\xe2\x80\x99s owner\nOASDI      Old Age, Survivors and Disability Insurance\nOCACT      Office of the Chief Actuary\nOFPO       Office of Financial Policy and Operations\nOISS       Office of Information Systems Security\nOMB        Office of Management and Budget\nOPSOS      Office of Public Services and Operations Support\nOIG        Office of the Inspector General\n\n\n                               B-1\n\x0cOSA     Office of Systems Analysis\nOQA     Office of Quality Assurance\nOSDD    Office of Systems Design and Development\nP&A     Planning and Analysis\nPC      Personal Computer\nPIA     Primary Insurance Amount\nPIN     Personal Identification Number\nPOMS    Program Operations Manual System\nPSC     Program Service Center\nPUPS    Prisoner Update Processing System\nPwC     PricewaterhouseCoopers LLP\nQA      Quality Assurance\nQRM     Quality Review Manual\nQRMS    Quality Review Manual System\nROQA    Regional Office of Quality Assurance and Performance\n        Assessment\nRSDI    Retirement and Survivors Disability Insurance\nRSI     Retirement Survivors Insurance\nRWA     Reimbursable Work Authorization\nSRCOL   System Release Certification Online\nSSA     Social Security Administration\nSSI     Supplemental Security Income\nSSN     Social Security Number\nSSR     Supplemental Security Record\nTII     Title II of the Social Security Act\nTPPS    Third Party Payment System\nTSO     Time Share Option\nTXVI    Title XVI of the Social Security Act\nVMF     Vendor Maintenance Form\n\n\n\n\n                            B-2\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                         SOCIAL SECURITY\n\nMEMORANDUM\n\n\nDate:      September 4, 2002                                                      Refer To:   S1J-3\n\nTo:        James G. Huse, Jr.\n           Inspector General\n\nFrom:      Larry Dye /s/\n           Chief of Staff\n\nSubject:   Office of the Inspector General (OIG) Draft Report, \xe2\x80\x9cStatus of the Social Security\n           Administration\xe2\x80\x99s Implementation of Fiscal Year 2000 Management Letter Issues\xe2\x80\x9d\n           (A-15-02-12046)\xe2\x80\x94INFORMATION\n\n\n           We appreciate the OIG\xe2\x80\x99s efforts in conducting this review. Our comments on the report are\n           attached.\n\n           Staff questions can be referred to Mark Welch on extension 50374.\n\n           Attachment:\n           SSA Comments\n\n\n\n\n                                                          C-1\n\x0cCOMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL\xe2\x80\x99S (OIG) DRAFT\nREPORT, \xe2\x80\x9cSTATUS OF THE SOCIAL SECURITY ADMINISTRATION\xe2\x80\x99S\nIMPLEMENTATION OF FISCAL YEAR 2000 MANAGEMENT LETTER ISSUES\xe2\x80\x9d\n(A-15-02-12046)\n\nThank you for performing this review of Social Security Administration (SSA) actions to resolve\nissues presented in prior PricewaterhouseCoopers LLP (PwC) reports relating to SSA\nmanagement controls and operations. The annual PwC audit of our financial statements is an\nimportant component in the overall management of the programs administered by SSA, and we\nare working to resolve issues presented by PwC as soon as possible.\n\nWe have the following comments on the status of SSA actions relating to the four prior PwC\nfindings highlighted in this OIG report:\n\nFinding II.B.2. (pages 3-4 of Appendix A)\n\nPwC recommended SSA complete the drafting and implementation of program service center\n(PSC) change control procedures and consider assigning the production environment to non-\nprogrammers. SSA agreed with this recommendation and reported that work on this\nrecommendation was complete. OIG determined that corrective action is not complete. SSA has\ndeveloped standardized change control procedures for the PSCs. However, a systems change\nstill needs to be made to limit programmer access to the production environment at the PSCs.\nSSA stated that it expected to complete this change by the end of April 2002. However, as of\nApril 2, 2002, this was not completed.\n\nComment\n\nThe requirement to implement the creation of profiles to establish the appropriate separation of\nduties for the PSCs is under review by SSA systems security staff. Once approved,\nimplementation should occur within 6 weeks.\n\nFinding V.A.5. (pages 28-29 of Appendix A)\n\nPwC recommended SSA enhance the current re-certification process by implementing a standard\nprofile for each position requiring access to the Financial Accounting System (FACTS), and a\nrequirement that access be requested in terms of the standard profile. SSA agreed with this\nrecommendation and reported that work on this recommendation would be completed by\nAugust 31, 2001. OIG determined that corrective action was not completed by August 31, 2001.\nSSA has created standard profiles for all of the FACTS users. However, as of April 5, 2002, a\nre-certification had not been completed. It is important that the re-certification process is\ncompleted to ensure that the level of access currently held by FACTS users matches their\nstandard profiles.\n\nComment\n\nRecertification of FACTS profiles was completed on May 6, 2002. The FACTS standard\nprofiles were completed on April 11, 2002. Therefore, we believe SSA has satisfied this audit\nfinding.\n                                               C-2\n\x0cFinding VI.B.1. (pages 40-41 of Appendix A)\n\nPwC recommended SSA document the process which should be followed regarding possible\ndisputes with Treasury and determine that Treasury is in agreement with all aspects of SSA\xe2\x80\x99s\nprocedures of estimating the tax revenues and for resolving discrepancies. SSA agreed with this\nrecommendation and reported that procedures would be in place by August 31, 2001. OIG\ndetermined that corrective action was not complete as of March 1, 2002. SSA did issue its\naccounting manual chapter; however, Treasury has not yet met with SSA to establish a\nMemorandum of Understanding (MOU). This is scheduled to take place sometime during FY\n2002. We feel that SSA should change its target date for completion of work on this\nrecommendation to \xe2\x80\x9cTo be determined \xe2\x80\x93 pending action by Treasury.\xe2\x80\x9d Although SSA has\ncompleted all work that it can at this time, SSA still has a responsibility to ensure that Treasury\xe2\x80\x99s\nMOU encompasses all aspects of SSA\xe2\x80\x99s procedures.\n\nComment\n\nWe are pleased that the OIG recognizes that SSA has fulfilled its portion of this audit finding.\nHowever, we do not agree that SSA should be held responsible for actions pending by an outside\nentity, in this instance the Department of the Treasury. We recently learned that Treasury has\nonce again delayed development of user agreements with the 15 trust fund managed agencies\n(including SSA) until FY 2003, focusing instead on agencies that maintain their own\ninvestments. Treasury plans to conduct a survey of the trust fund managed agencies prior to\ndevelopment of any agreements. However, if Treasury development of the various agency\nagreements is once again re-prioritized by Treasury, SSA will be unfairly held responsible in the\nmeantime. Since the roles and responsibilities of SSA and Treasury are already documented and\nwill be subsumed in Treasury\'s agreement, we see no need for this audit finding to remain open.\n\nFinding VI.C.2. (pages 44-45 of Appendix A)\n\nPwC recommended that SSA develop and document a comprehensive set of policies and\nprocedures regarding the Limitation on Administrative Expenses (LAE) program to outline how\ntransactions are processed, allocated, and reported. SSA agreed with the recommendation and\nstated that the documentation would be complete by August 31, 2001. OIG determined that\ncorrective action on this recommendation was not complete as of January 30, 2002. SSA had\ndrafted LAE Accounting and Reporting procedures in August 2001. SSA recently revised the\ndraft procedures, but has not completed this effort.\nComment\n\nThe accounting policies and procedures for the LAE program have been completed and\nimplemented.\n\n\n\n\n                                                 C-3\n\x0c                                                                      Appendix D\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Frederick C. Nordhoff, Director, Financial Audit Division, (410) 966-6676\n   Victoria Vetter, Deputy Director, Financial Audit Division, (410) 966-9081\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Kristen Schnatterly, Auditor-in-Charge\n   Cheryl Robinson, Writer/Editor\n\n\nFor additional copies of this report, please visit our web site at www.ssa.gov/oig or\ncontact the Office of the Inspector General\xe2\x80\x99s Public Affairs Specialist at (410) 966-1375.\nRefer to Common Identification Number A-15-02-12046.\n\x0c                            DISTRIBUTION SCHEDULE\n\n                                                                             No. of\n                                                                            Copies\n\nCommissioner of Social Security                                                1\nManagement Analysis and Audit Program Support Staff, OFAM                    10\nInspector General                                                              1\nAssistant Inspector General for Investigations                                 1\nAssistant Inspector General for Executive Operations                           3\nAssistant Inspector General for Audit                                          1\nDeputy Assistant Inspector General for Audit                                   1\n Director, Systems Audit Division                                              1\n Director, Financial Management and Performance Monitoring Audit Division      1\n Director, Operational Audit Division                                          1\n Director, Disability Program Audit Division                                   1\n Director, Program Benefits Audit Division                                     1\n Director, General Management Audit Division                                   1\nTeam Leaders                                                                 25\nIncome Maintenance Branch, Office of Management and Budget                     1\nChairman, Committee on Ways and Means                                          1\nRanking Minority Member, Committee on Ways and Means                           1\nChief of Staff, Committee on Ways and Means                                    1\nChairman, Subcommittee on Social Security                                      2\nRanking Minority Member, Subcommittee on Social Security                       1\nMajority Staff Director, Subcommittee on Social Security                       2\nMinority Staff Director, Subcommittee on Social Security                       2\nChairman, Subcommittee on Human Resources                                      1\nRanking Minority Member, Subcommittee on Human Resources                       1\nChairman, Committee on Budget, House of Representatives                        1\nRanking Minority Member, Committee on Budget, House of Representatives         1\nChairman, Committee on Government Reform and Oversight                         1\nRanking Minority Member, Committee on Government Reform and Oversight          1\nChairman, Committee on Governmental Affairs                                    1\nRanking Minority Member, Committee on Governmental Affairs                     1\nChairman, Committee on Appropriations, House of Representatives                1\n\x0cChairman, Committee on Appropriations, House of Representatives               1\nRanking Minority Member, Committee on Appropriations,\n House of Representatives                                                     1\nChairman, Subcommittee on Labor, Health and Human Services, Education\n and Related Agencies, Committee on Appropriations,\n House of Representatives                                                     1\nRanking Minority Member, Subcommittee on Labor, Health and Human\n Services, Education and Related Agencies, Committee on Appropriations,\n House of Representatives                                                     1\nChairman, Committee on Appropriations, U.S. Senate                            1\nRanking Minority Member, Committee on Appropriations, U.S. Senate             1\nChairman, Subcommittee on Labor, Health and Human Services, Education\n and Related Agencies, Committee on Appropriations, U.S. Senate               1\nRanking Minority Member, Subcommittee on Labor, Health and Human\n Services, Education and Related Agencies, Committee on Appropriations,\n U.S. Senate                                                                  1\nChairman, Committee on Finance                                                1\nRanking Minority Member, Committee on Finance                                 1\nChairman, Subcommittee on Social Security and Family Policy                   1\nRanking Minority Member, Subcommittee on Social Security and Family Policy    1\nChairman, Senate Special Committee on Aging                                   1\nRanking Minority Member, Senate Special Committee on Aging                    1\nPresident, National Council of Social Security Management Associations,\n Incorporated                                                                 1\nTreasurer, National Council of Social Security Management Associations,\n Incorporated                                                                 1\nSocial Security Advisory Board                                                1\nAFGE General Committee                                                        9\nPresident, Federal Managers Association                                       1\nRegional Public Affairs Officer                                               1\n\n\nTotal                                                                        96\n\x0c                  Overview of the Office of the Inspector General\n\n\n                                         Office of Audit\nThe Office of Audit (OA) conducts comprehensive financial and performance audits of the\nSocial Security Administration\xe2\x80\x99s (SSA) programs and makes recommendations to ensure\nthat program objectives are achieved effectively and efficiently. Financial audits, required\nby the Chief Financial Officers\' Act of 1990, assess whether SSA\xe2\x80\x99s financial statements\nfairly present the Agency\xe2\x80\x99s financial position, results of operations and cash flow.\nPerformance audits review the economy, efficiency and effectiveness of SSA\xe2\x80\x99s programs.\nOA also conducts short-term management and program evaluations focused on issues of\nconcern to SSA, Congress and the general public. Evaluations often focus on identifying\nand recommending ways to prevent and minimize program fraud and inefficiency, rather\nthan detecting problems after they occur.\n\n                             Office of Executive Operations\nThe Office of Executive Operations (OEO) supports the Office of the Inspector General\n(OIG) by providing information resource management; systems security; and the\ncoordination of budget, procurement, telecommunications, facilities and equipment, and\nhuman resources. In addition, this office is the focal point for the OIG\xe2\x80\x99s strategic planning\nfunction and the development and implementation of performance measures required by\nthe Government Performance and Results Act. OEO is also responsible for performing\ninternal reviews to ensure that OIG offices nationwide hold themselves to the same\nrigorous standards that we expect from SSA, as well as conducting investigations of OIG\nemployees, when necessary. Finally, OEO administers OIG\xe2\x80\x99s public affairs, media, and\ninteragency activities, coordinates responses to Congressional requests for information,\nand also communicates OIG\xe2\x80\x99s planned and current activities and their results to the\nCommissioner and Congress.\n\n\n\n                               Office of Investigations\nThe Office of Investigations (OI) conducts and coordinates investigative activity related to\nfraud, waste, abuse, and mismanagement of SSA programs and operations. This includes\nwrongdoing by applicants, beneficiaries, contractors, physicians, interpreters,\nrepresentative payees, third parties, and by SSA employees in the performance of their\nduties. OI also conducts joint investigations with other Federal, State, and local law\nenforcement agencies.\n\n                        Counsel to the Inspector General\nThe Counsel to the Inspector General provides legal advice and counsel to the Inspector\nGeneral on various matters, including: 1) statutes, regulations, legislation, and policy\ndirectives governing the administration of SSA\xe2\x80\x99s programs; 2) investigative procedures\nand techniques; and 3) legal implications and conclusions to be drawn from audit and\ninvestigative material produced by the OIG. The Counsel\xe2\x80\x99s office also administers the civil\nmonetary penalty program.\n\x0c'